Blog

Government Payment Processor Exposes Data On Millions Of Americans

If you use the GovPayNet portal, be advised that your personal information is currently at risk. Although at this point, there's no indication that any hacker has made use of it. The portal is run by Government Payment Service, and is used by many Americans to pay fines, fees and bills generated by more than two thousand different government agencies operating in 35 states.

Unfortunately, the way the website is configured, when it issues a receipt for a payment, it numbers those receipts sequentially. All a hacker would have to do would be to change the receipt number in the URL to see any previous receipts, and all of the information it contains.

When the flaw was discovered by journalist Brian Krebs, more than fourteen million old records were exposed in this manner. He contacted Government Payment Service to inform them of the flaw, and the agency moved quickly to address the issue. They said in a formal statement that they "did not adequately restrict access to only authorized recipients."

They went on to assure their users that there's no indication that any data had been improperly accessed. They added that the receipts generated don't include any information that could be used by a hacker to initiate any type of financial transaction.

Unfortunately, the reality was a bit different. The receipts contain the names, addresses and phone numbers of the person paying the fee in question, along with the last four digits of whatever credit or debit card was used to make payment. That is more than enough information to enable a hacker to initiate a phishing attack to get the rest.

Nick Bilorgoskiy of Juniper Networks had this to say about the matter:

"Online payment providers...should take special care to protect their customers' receipts by using HTTPS and checking that the user is logged in and has permissions to view them. To avoid information disclosure and directory traversal issues, I also recommend denying anonymous web visitors the ability to read permissions for any unnecessary files from web-accessible directories."

It's good advice, and here's hoping that Government Payment Service will take it. If you use the service, there's nothing for you to do. You don't need to change your password, since it was never exposed. Just be mindful that someone may have seen any data your receipts contain before the site was secured.